Windows 2003 Forest Trust between partner companies?
October 10, 2008 6:23 AM   Subscribe

Idiot-Check Filter: I work for a company that is starting to explore a much closer relationship with one of its partners. Both of these companies are running Active Directory domains on Windows 2003 with Exchange 2007 for messaging. Does it make sense to create a Forest Trust between our two companies over a VPN?

Right now, some of our personnel need email addresses on their domain. We are currently granted web mail access to their Exchange 2007 server. It would be nice if we could simply allow their server to route these emails to the user's mailbox in our Exchange 2007 server. I'm a trust newbie, however, and don't even know if this is possible or recommended. I haven't found anything out there explaining how to do it. I do guess that reply-to addressing in Outlook/Entourage might be an intractable problem.

Eventually we also might want access to (some of) each other's network drives. Lack of this has already been a problem. This, I think, is fairly straightforward.

I understand that joining our two domains into a forest would probably grant us all too much access to each other's resources. But joining two one-domain forests into a forest trust should give us more granular control. Is this correct?
posted by rocketpup to Computers & Internet (4 answers total)
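As an added example (not part of rocketpup's question or any of the answers): the "granular control" a forest trust can give does not come from the trust itself but from two settings on it, selective authentication and SID filtering. With forest-wide authentication (the default) every account in the trusted forest is a member of Authenticated Users on every computer in the trusting forest, and with SID history allowed across the trust a partner admin can plant one of your SIDs in a user's sIDHistory. The script uses the Windows Server 2003 netdom and dsacls syntax; the forest names corp.example and partner.example, the server FS01, the OU and the partner group name are assumed.

```powershell
# Added example: tighten an existing one-way forest trust so that only
# explicitly allowed partner users can authenticate to explicitly allowed servers.
# Assumed layout: corp.example is our forest root (trusting side, holds the
# resources); partner.example is the partner's forest root (trusted side).
# The trust itself was created in Active Directory Domains and Trusts;
# run the following as an Enterprise Admin of corp.example.

$Ours   = 'corp.example'
$Theirs = 'partner.example'

# 1. Selective authentication: partner accounts get no implicit access and
#    must hold "Allowed to Authenticate" on each computer object they use.
netdom trust $Ours "/d:$Theirs" /SelectiveAuth:yes

# 2. SID filtering is on by default for forest trusts; re-assert it so nobody
#    later "fixes" a migration by disabling it. With SID history honoured,
#    a partner admin could inject a corp.example SID into sIDHistory.
netdom trust $Ours "/d:$Theirs" /EnableSIDHistory:no

# 3. Check the trust is healthy and list its attributes (direction,
#    transitivity, selective authentication) for the change record.
netdom trust $Ours "/d:$Theirs" /verify
netdom query "/d:$Ours" trust /verbose

# 4. Grant one partner group "Allowed to Authenticate" on one file server
#    only (assumed names). Repeat per server; no other machine in the forest
#    will accept a token from partner.example.
$ServerDN     = 'CN=FS01,OU=Servers,DC=corp,DC=example'
$PartnerGroup = 'PARTNER\Partner-Shares-Users'   # assumed global group in their forest
dsacls $ServerDN /G "${PartnerGroup}:CA;Allowed to Authenticate"

# 5. Share and NTFS ACLs still apply on top of step 4. On FS01 (assumed share):
#   net share Exchange=D:\Shares\Exchange /GRANT:"PARTNER\Partner-Shares-Users,READ"
#   cacls D:\Shares\Exchange /E /G "PARTNER\Partner-Shares-Users:R"
```

Step 4 is the actual access decision: with selective authentication a partner user who is not on a server's "Allowed to Authenticate" ACL fails at logon before any share or NTFS permission is consulted, so the exposure is exactly the list of computer objects you grant, not the whole forest.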
Best answer: I don't have a precise answer for some of the technical questions but I implore you to consider the governance, support and liability (both personal and corporate) issues you would have about connecting your main corporate authentication/authorization source with an outside organization. The technical details may be simple but you will want to nail down all sorts of process and agreements with the other organization before you do anything that may end badly.

As for a technology solution, you may consider Active Directory Federation Services which was designed with the idea of two wholly separate organizations securely authenticating/authorizing each other's users without going through native AD trusts.
posted by mmascolino at 7:24 AM on October 10, 2008

Best answer: ADFS is what you are looking for, you should have no problems with it. I would warn you to get everything you do in writing from someone in a c-level position, preferably as a directive from the board of directors. What you absolutely don't want is some higher up with little clue as to the security implications of doing this to issue this edict without thought to the underlying security schema your organization has. Sorry, not to be condescending, but I've been asked to do things I absolutely refused to do, got shit for it at the time and several years (yes years) later it was revealed that it was actually the right thing to do. This is the sort of thing that many executives do not fully understand and it is the job of those of us in the trenches to come up with a solution to their problem so they can achieve what they want without creating potential liabilities. It is rather thankless, yes even after the fact, but it is what should be done. I apologize if this came across as patronizing, did not know how else to phrase it.
posted by geoff. at 8:50 AM on October 10, 2008

Best answer: The email stuff can be done on the MTA level. will go to No need for trusts, webmail, etc. Or just enable their client to open a second IMAP or MAPI box (rpc over http or vpn).

The shared files can be handled via SharePoint or some other groupware. This is what we do with "tight" external partners and clients. We don't give them keys to the kingdom, just exactly what they need.

Trusting two domains like this is pretty serious stuff, and imho, not justified by this scenario.
posted by damn dirty ape at 9:35 AM on October 10, 2008
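Added example for the MTA-level approach in the answer above (this is not damn dirty ape's own configuration): on the partner's Exchange 2007 server, a mail-enabled contact owns the address in their domain and carries the mailbox in our forest as its target address, so their transport forwards the message over SMTP with no trust, no shared credential and no extra webmail account. The names (partner.example, corp.example, the user, the OU, the hub transport server HUB01 and the smart-host address 10.10.1.25) are assumed.

```powershell
# Added example: make alice@partner.example deliver to her real mailbox
# alice@corp.example at the MTA level, on the partner's Exchange 2007 side.
# Run in the Exchange Management Shell of partner.example (assumed names).

# 1. A mail contact in the partner's AD. The external (target) address is the
#    mailbox in our forest; the secondary proxy address is the one their
#    staff and their address book use. Address-policy stamping is turned off
#    so the policy cannot later overwrite the addresses.
New-MailContact -Name 'Alice Example (corp)' `
    -OrganizationalUnit 'partner.example/Partner Contacts' `
    -ExternalEmailAddress 'SMTP:alice@corp.example'

Set-MailContact -Identity 'Alice Example (corp)' `
    -EmailAddressPolicyEnabled $false `
    -EmailAddresses 'SMTP:alice@corp.example','smtp:alice@partner.example'

# 2. Optional but recommended over a partner VPN: send corp.example mail to
#    our hub transport directly instead of via public MX, and require TLS so
#    the hop is never cleartext (RequireTLS needs Exchange 2007 SP1 or later).
New-SendConnector -Name 'To corp.example over VPN' -Usage Custom `
    -AddressSpaces 'SMTP:corp.example;1' `
    -SmartHosts '10.10.1.25' -DNSRoutingEnabled $false `
    -SourceTransportServers 'HUB01' `
    -RequireTLS $true

# 3. Check what the categorizer will see before telling anyone it works.
Get-MailContact 'Alice Example (corp)' |
    Format-List Name, EmailAddresses, ExternalEmailAddress, EmailAddressPolicyEnabled
Get-SendConnector 'To corp.example over VPN' |
    Format-List AddressSpaces, SmartHosts, DNSRoutingEnabled, RequireTLS
```

The contact is an object in the partner's directory, not an account: it cannot log on, holds no password, and the only thing they learn about our side is an SMTP address. If the relationship ends, deleting the contact (and the connector) removes every trace of the integration.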

Response by poster: Thanks, everyone, for the idiot check and suggestions. I haven't been asked to do anything yet, but if previous experience is any guide, I will be. This provides me with a couple different directions to take apart from the trust business.
posted by rocketpup at 10:10 AM on October 10, 2008
